Public Administration on the Internet: The Rules to Respect Citizens' and Employees' Privacy
Only indispensable information should be posted online, and it should remain online only for the appropriate periods. Technological measures must be in place to prevent file manipulation and bulk duplication, and special care is required in allowing external search engines to retrieve the data posted on an institutional website.
The Italian data protection authority laid down the rules to be complied with by public administrative bodies when posting administrative records and documents that contain personal data, so as not to violate citizens' and employees' privacy and to respect the principles set forth in the relevant legislation.
The Guidelines issued by the Italian DPA make up an initial set of measures and arrangements public administrative bodies are required to implement regardless of the purposes for which the information is posted online (transparency, publicity, access).
The Guidelines are the outcome of a complex preparatory activity and also take account of the considerations submitted by various public bodies, local authorities, and consumer associations as part of the public consultation launched by the DPA a few months ago.
The main points made in the Guidelines can be summarized as follows:
- Public administrative bodies may only post records/documents containing personal data online if this is provided for in laws and/or regulations; they must comply with data minimization, proportionality, and data relevance principles, whilst the ban on disseminating health-related data remains unaffected.
- The appropriate technological measures should be taken to prevent the online information from being erased, changed and/or extrapolated.
- The records/documents should be retrieved, if possible, by way of internal search engines, whilst the indexing of such records/documents by external search engines should be limited. Relying on internal search engines can ensure that access will be consistent with the purposes for which the information was disclosed, as well as prevent the data from being tampered with and/or taken out of context; that is, it will prevent arbitrary extrapolation of the information and the resulting impossibility of controlling its use.
- The data must remain available for no longer than is necessary in pursuance of the sector-related legislation. Failing such legislation, each public administrative body should determine the appropriate deadlines for removal of the posted data.
- Finally, alert systems and software should be deployed to prevent reproduction and re-use of the files containing personal data; such systems can detect and report any suspicious access so that adequate countermeasures can be taken.
Rome, 4 April 2011